cbac 0.6.10 → 0.7.0
- checksums.yaml +7 -0
- data/.gitignore +4 -0
- data/.rspec +1 -0
- data/Gemfile +0 -4
- data/README.rdoc +3 -2
- data/Rakefile +1 -1
- data/cbac.gemspec +21 -28
- data/lib/cbac.rb +14 -6
- data/lib/cbac/cbac_pristine/pristine_file.rb +2 -2
- data/lib/cbac/cbac_pristine/pristine_permission.rb +29 -13
- data/lib/cbac/cbac_pristine/pristine_role.rb +1 -1
- data/lib/cbac/generic_role.rb +0 -1
- data/lib/cbac/known_permission.rb +2 -2
- data/lib/cbac/privilege.rb +2 -1
- data/lib/cbac/privilege_set.rb +1 -1
- data/lib/cbac/version.rb +1 -1
- data/lib/generators/cbac/copy_files/controllers/generic_roles_controller.rb +7 -2
- data/lib/generators/cbac/copy_files/migrate/create_cbac_from_scratch.rb +7 -7
- data/lib/generators/cbac/copy_files/tasks/cbac.rake +1 -1
- data/migrations/20110211105533_add_pristine_files_to_cbac_upgrade_path.rb +1 -1
- data/spec/cbac_authorization_check_spec.rb +7 -8
- data/spec/cbac_pristine_file_spec.rb +94 -92
- data/spec/cbac_pristine_permission_spec.rb +102 -100
- data/spec/cbac_pristine_role_spec.rb +23 -24
- data/spec/fixtures/controllers/dating/daughter_controller.rb +3 -2
- data/tasks/cbac.rake +1 -1
- data/test/test_helper.rb +1 -1
- metadata +57 -94
- data/Gemfile.lock +0 -121
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 8c041fd3a4befc2208c468e57a7a6a49168d2bd5
|
4
|
+
data.tar.gz: c97a35227f58f9f04083e4e88cc1bc42e26a8e2a
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 0fa615f6784d84775c61971e234ae419de6ae748ea2229b3cabfa2947c632932a488c68ee814959377cba1239289c82971d34c7aa64fbe322e2e98acecb22ff5
|
7
|
+
data.tar.gz: 8d2c9e5b8aa393d896d1e4803536ddafaece144cb4fbfdaa48657eb160c5c9e2cb15b61747b49a5191353deaea469f55e251285e5033b8f854e800704d74edf2
|
data/.gitignore
ADDED
data/.rspec
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--color
|
data/Gemfile
CHANGED
data/README.rdoc
CHANGED
@@ -4,8 +4,9 @@
|
|
4
4
|
Easy to use, light-weight authorization system for Rails applications.
|
5
5
|
|
6
6
|
== Update
|
7
|
-
Version 0.
|
8
|
-
|
7
|
+
Version 0.7 contains several updates on the system. This is driven by the
|
8
|
+
wish to be compliant with Rails 4.2, the oldest Rails version that is
|
9
|
+
currently under support.
|
9
10
|
|
10
11
|
== FEATURES:
|
11
12
|
- Authorize users via roles/ groups
|
data/Rakefile
CHANGED
data/cbac.gemspec
CHANGED
@@ -1,34 +1,27 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
|
3
3
|
Gem::Specification.new do |s|
|
4
|
-
s.name
|
5
|
-
s.version = "0.
|
4
|
+
s.name = "cbac"
|
5
|
+
s.version = "0.7.0"
|
6
6
|
|
7
|
-
s.
|
8
|
-
s.
|
9
|
-
s.
|
10
|
-
s.
|
11
|
-
s.
|
12
|
-
s.
|
13
|
-
s.
|
14
|
-
s.
|
15
|
-
s.
|
16
|
-
s.
|
17
|
-
s.
|
18
|
-
s.
|
19
|
-
s.summary
|
20
|
-
s.test_files
|
7
|
+
s.authors = ["Bert Meerman"]
|
8
|
+
s.date = "2016-08-15"
|
9
|
+
s.description = "Simple authorization system for Rails applications. Allows you to develop applications with a mixed role based authorization and a context based authorization model. Does not supply authentication."
|
10
|
+
s.email = "bertm@rubyforge.org"
|
11
|
+
s.files = `git ls-files`.split("\n")
|
12
|
+
s.homepage = "http://cbac.rubyforge.org"
|
13
|
+
s.license = "MIT"
|
14
|
+
s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Cbac", "--main", "README.rdoc"]
|
15
|
+
s.require_paths = ["lib"]
|
16
|
+
s.required_ruby_version = ">= 1.9.3"
|
17
|
+
s.required_rubygems_version = ">= 1.8.11"
|
18
|
+
s.rubyforge_project = "cbac"
|
19
|
+
s.summary = "CBAC - Simple authorization system for Rails applications."
|
20
|
+
s.test_files = `git ls-files -- test/*.*`.split("\n")
|
21
21
|
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
s.add_development_dependency("rspec-rails")
|
28
|
-
s.add_development_dependency("sqlite3")
|
29
|
-
s.add_development_dependency("database_cleaner")
|
30
|
-
else
|
31
|
-
end
|
32
|
-
else
|
33
|
-
end
|
22
|
+
s.add_development_dependency("database_cleaner", "~> 1.5")
|
23
|
+
s.add_development_dependency("rspec-rails", "~> 3")
|
24
|
+
s.add_development_dependency("sqlite3", "~> 1.3")
|
25
|
+
s.add_runtime_dependency("echoe", "~> 4")
|
26
|
+
s.add_runtime_dependency("rails", "~> 4.2")
|
34
27
|
end
|
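Review bot: `s.add_runtime_dependency("echoe", "~> 4")` pulls a gem-packaging helper into the runtime dependency tree of every application that installs cbac, although nothing in the library code on this page references it; it presumably serves only the Rakefile (that change is not shown). A release tool resolved and loaded by every consumer widens their supply-chain surface for no functional gain, so it should be `s.add_development_dependency("echoe", "~> 4")` or dropped. Note also that `s.files = \`git ls-files\`.split("\n")` shells out and yields an empty list when the gemspec is evaluated outside a git checkout, so the contents of the published gem should be checked from the built `.gem` rather than assumed from this line.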
data/lib/cbac.rb
CHANGED
@@ -47,14 +47,18 @@ module Cbac
|
|
47
47
|
check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
|
48
48
|
end
|
49
49
|
|
50
|
+
def permitted_for_generic_role?(privilege_set, context)
|
51
|
+
Cbac::GenericRole.joins(:generic_role_members, :permissions).exists?(
|
52
|
+
'cbac_memberships.user_id' => current_user(context),
|
53
|
+
'cbac_permissions.privilege_set_id' => privilege_set.id
|
54
|
+
)
|
55
|
+
end
|
56
|
+
|
50
57
|
# Check the given privilege_sets
|
51
58
|
def check_privilege_sets(privilege_sets, context = {})
|
52
59
|
# Check the generic roles
|
53
60
|
return true if privilege_sets.any? { |set|
|
54
|
-
|
55
|
-
'cbac_memberships.user_id' => current_user,
|
56
|
-
'cbac_permissions.privilege_set_id' => set.id
|
57
|
-
)
|
61
|
+
permitted_for_generic_role?(set, context)
|
58
62
|
}
|
59
63
|
|
60
64
|
# Check the context roles Get the permissions
|
@@ -89,8 +93,12 @@ module Cbac
|
|
89
93
|
end
|
90
94
|
|
91
95
|
# Default implementation of the current_user method
|
92
|
-
def current_user_id
|
93
|
-
|
96
|
+
def current_user_id(context = {})
|
97
|
+
context[:cbac_user].to_i
|
98
|
+
end
|
99
|
+
|
100
|
+
def current_user(context = {})
|
101
|
+
current_user_id(context)
|
94
102
|
end
|
95
103
|
|
96
104
|
# Load controller classes and methods
|
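Review bot: `current_user_id` coerces a missing `:cbac_user` with `nil.to_i`, so a request with no authenticated user is looked up as user 0 in `permitted_for_generic_role?` instead of being denied, and any membership row whose `user_id` is 0 would grant it; if an application overrides `current_user` to return nil (as the spec in this diff stubs it), the hash condition becomes `user_id IS NULL`, which matches rows with a NULL `user_id` because the migration leaves that column nullable. Make the generic-role check fail closed: `user_id = current_user(context)` and `return false if user_id.nil?` before the `exists?` query, and have `current_user_id` return nil rather than 0 when the key is absent (`context[:cbac_user] && context[:cbac_user].to_i`), unless other callers depend on an Integer there. `check_privilege_sets` continues past the hunk, so the context-role branch was not reviewed here.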
@@ -133,7 +133,7 @@ module Cbac
|
|
133
133
|
# if not, the context role is not found by CBAC and thus will not work
|
134
134
|
|
135
135
|
# this may be a context role that's already in the database
|
136
|
-
context_role = use_db ? PristineRole.
|
136
|
+
context_role = use_db ? PristineRole.where(role_type: PristineRole.ROLE_TYPES[:context], name: context_role_name.captures[0]).first : nil
|
137
137
|
|
138
138
|
# this may still be a context role we've seen before...
|
139
139
|
context_role = @context_roles.select do |cr| cr.role_type == PristineRole.ROLE_TYPES[:context] and cr.name == context_role_name.captures[0] end.first if context_role.nil?
|
@@ -166,7 +166,7 @@ module Cbac
|
|
166
166
|
return generic_cbac_role
|
167
167
|
end
|
168
168
|
end
|
169
|
-
role = use_db ? PristineRole.
|
169
|
+
role = use_db ? PristineRole.where(role_type: PristineRole.ROLE_TYPES[:generic], name: generic_role.captures[0]).first : nil
|
170
170
|
|
171
171
|
if role.nil?
|
172
172
|
role = PristineRole.new do |role|
|
@@ -11,7 +11,7 @@ module Cbac
|
|
11
11
|
belongs_to :pristine_file, :class_name => "Cbac::CbacPristine::AbstractPristineFile"
|
12
12
|
|
13
13
|
def privilege_set
|
14
|
-
Cbac::PrivilegeSetRecord.
|
14
|
+
Cbac::PrivilegeSetRecord.where(name: privilege_set_name).first
|
15
15
|
end
|
16
16
|
|
17
17
|
def operation_string
|
@@ -48,25 +48,38 @@ module Cbac
|
|
48
48
|
# checks if the current cbac permissions contains a permission which is exactly like this one
|
49
49
|
def cbac_permission_exists?
|
50
50
|
if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
|
51
|
-
Cbac::Permission.
|
51
|
+
Cbac::Permission.joins(:privilege_set).where('cbac_privilege_set.name = ?', privilege_set_name).where(context_role: pristine_role.name).count > 0
|
52
52
|
else
|
53
|
-
Cbac::Permission.
|
53
|
+
Cbac::Permission.joins(:generic_role, :privilege_set).where('cbac_privilege_set.name = ?', privilege_set_name).where('cbac_generic_roles.name' => pristine_role.name).count > 0
|
54
54
|
end
|
55
55
|
end
|
56
56
|
|
57
57
|
# checks if a pristine permission with the same properties(except line_number) exists in the database
|
58
58
|
def exists?
|
59
|
-
Cbac::CbacPristine::PristinePermission.
|
59
|
+
Cbac::CbacPristine::PristinePermission.where(
|
60
|
+
privilege_set_name: privilege_set_name,
|
61
|
+
pristine_role_id: pristine_role_id,
|
62
|
+
operation: operation)
|
63
|
+
.count > 0
|
60
64
|
end
|
61
65
|
|
62
66
|
# checks if a pristine permission with the exact same properties(except line_number), but the reverse operation exists in the database
|
63
67
|
def reverse_exists?
|
64
|
-
Cbac::CbacPristine::PristinePermission.
|
68
|
+
Cbac::CbacPristine::PristinePermission.where(
|
69
|
+
privilege_set_name: privilege_set_name,
|
70
|
+
pristine_role_id: pristine_role_id,
|
71
|
+
operation: reverse_operation)
|
72
|
+
.count > 0
|
65
73
|
end
|
66
74
|
|
67
75
|
# delete the pristine permission with the reverse operation of this one
|
68
76
|
def delete_reverse_permission
|
69
|
-
reverse_permission = Cbac::CbacPristine::PristinePermission.
|
77
|
+
reverse_permission = Cbac::CbacPristine::PristinePermission.where(
|
78
|
+
privilege_set_name: privilege_set_name,
|
79
|
+
pristine_role_id: pristine_role_id,
|
80
|
+
operation: reverse_operation)
|
81
|
+
.first
|
82
|
+
|
70
83
|
reverse_permission.delete
|
71
84
|
end
|
72
85
|
|
@@ -86,7 +99,10 @@ module Cbac
|
|
86
99
|
|
87
100
|
# checks if the known_permissions table has an entry for this permission
|
88
101
|
def known_permission_exists?
|
89
|
-
Cbac::KnownPermission.
|
102
|
+
Cbac::KnownPermission.where(
|
103
|
+
:permission_type => pristine_role.known_permission_type,
|
104
|
+
:permission_number => line_number
|
105
|
+
).count > 0
|
90
106
|
end
|
91
107
|
|
92
108
|
# accept this permission and apply to the current cbac permission set
|
@@ -120,8 +136,8 @@ module Cbac
|
|
120
136
|
if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
|
121
137
|
permission.context_role = pristine_role.name
|
122
138
|
else
|
123
|
-
generic_role = Cbac::GenericRole.
|
124
|
-
permission.generic_role = generic_role
|
139
|
+
generic_role = Cbac::GenericRole.where(name: pristine_role.name).first
|
140
|
+
permission.generic_role = generic_role || Cbac::GenericRole.where(name: pristine_role.name, remarks: "Autogenerated by Cbac loading / upgrade system").create
|
125
141
|
end
|
126
142
|
|
127
143
|
register_change if permission.save
|
@@ -178,7 +194,7 @@ module Cbac
|
|
178
194
|
|
179
195
|
# clear the staging area of all generic pristine permissions
|
180
196
|
def self.delete_generic_permissions
|
181
|
-
generic_staged_permissions =
|
197
|
+
generic_staged_permissions = joins(:pristine_role).where("cbac_staged_roles.role_type = ?", PristineRole.ROLE_TYPES[:generic])
|
182
198
|
generic_staged_permissions.each do |permission|
|
183
199
|
delete(permission.id)
|
184
200
|
end
|
@@ -186,18 +202,18 @@ module Cbac
|
|
186
202
|
|
187
203
|
# clear the staging area of all non generic permissions
|
188
204
|
def self.delete_non_generic_permissions
|
189
|
-
staged_permissions =
|
205
|
+
staged_permissions = joins(:pristine_role).where("cbac_staged_roles.role_type != ?", PristineRole.ROLE_TYPES[:generic])
|
190
206
|
staged_permissions.each do |permission|
|
191
207
|
delete(permission.id)
|
192
208
|
end
|
193
209
|
end
|
194
210
|
|
195
211
|
def self.count_generic_permissions
|
196
|
-
|
212
|
+
joins(:pristine_role).where("cbac_staged_roles.role_type = ?", PristineRole.ROLE_TYPES[:generic]).count
|
197
213
|
end
|
198
214
|
|
199
215
|
def self.count_non_generic_permissions
|
200
|
-
|
216
|
+
joins(:pristine_role).where("cbac_staged_roles.role_type != ?", PristineRole.ROLE_TYPES[:generic]).count
|
201
217
|
end
|
202
218
|
end
|
203
219
|
end
|
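Review bot: `delete_reverse_permission` still dereferences the result of `.first` unconditionally, so when no reverse permission is staged `reverse_permission.delete` raises NoMethodError on nil; guard it with `reverse_permission.delete unless reverse_permission.nil?` (the gemspec in this diff still allows Ruby 1.9.3, so `&.` is not available). Callers presumably check `reverse_exists?` first, but that is a separate query and nothing here enforces the ordering. The `.count > 0` checks in `exists?`, `reverse_exists?`, `cbac_permission_exists?` and `known_permission_exists?` would read better and avoid a full COUNT as `.exists?`. This section carries no file header on the page; the hunks are attributed to `pristine_permission.rb` from the diffstat.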
@@ -33,7 +33,7 @@ module Cbac
|
|
33
33
|
end
|
34
34
|
|
35
35
|
def self.admin_role(use_db = true)
|
36
|
-
admin_role = use_db ? PristineRole.
|
36
|
+
admin_role = use_db ? PristineRole.where(role_type: PristineRole.ROLE_TYPES[:admin]).first : nil
|
37
37
|
|
38
38
|
admin_role || PristineRole.new do |role|
|
39
39
|
role.role_id = 1
|
data/lib/cbac/generic_role.rb
CHANGED
@@ -1,6 +1,5 @@
|
|
1
1
|
class Cbac::GenericRole < ActiveRecord::Base
|
2
2
|
self.table_name = "cbac_generic_roles"
|
3
|
-
attr_accessible :remarks, :name
|
4
3
|
|
5
4
|
has_many :generic_role_members, :class_name => "Cbac::Membership", :foreign_key => "generic_role_id"
|
6
5
|
has_many :permissions, :class_name => "Cbac::Permission", :foreign_key => "generic_role_id"
|
@@ -6,10 +6,10 @@ class Cbac::KnownPermission < ActiveRecord::Base
|
|
6
6
|
@@PERMISSION_TYPES = {:context => 0, :generic => 1}
|
7
7
|
|
8
8
|
def self.find_context_permissions(conditions = {})
|
9
|
-
|
9
|
+
where(conditions.merge(:permission_type => @@PERMISSION_TYPES[:context])).all
|
10
10
|
end
|
11
11
|
|
12
12
|
def self.find_generic_permissions(conditions = {})
|
13
|
-
|
13
|
+
where(conditions.merge(:permission_type => @@PERMISSION_TYPES[:generic])).all
|
14
14
|
end
|
15
15
|
end
|
data/lib/cbac/privilege.rb
CHANGED
@@ -88,7 +88,8 @@ class Privilege
|
|
88
88
|
def select(controller_method, action_type)
|
89
89
|
action_type = action_type.to_s
|
90
90
|
post_methods = ["post", "put", "delete", "patch"]
|
91
|
-
|
91
|
+
get_methods = ["get", "head"]
|
92
|
+
if get_methods.include? action_type
|
92
93
|
privilege_sets = Privilege.get_resources[controller_method]
|
93
94
|
else if post_methods.include?(action_type)
|
94
95
|
privilege_sets = Privilege.post_resources[controller_method]
|
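Review bot: The new `get_methods` list only matches lowercase `"get"`/`"head"`, yet `action_type` is merely `to_s`'d on the line above; if a caller passes the verb as Rails reports it (`request.request_method` is uppercase `"GET"`), neither list matches and the request falls through to the `else` branch outside this hunk, whose outcome cannot be seen here. Normalise once at the top of `select`: `action_type = action_type.to_s.downcase`. `"options"` and `"trace"` likewise match neither list; a one-line comment stating what the fall-through does for those verbs would help the next reader, since `select` continues past the hunk.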
data/lib/cbac/privilege_set.rb
CHANGED
@@ -19,7 +19,7 @@ class Cbac::PrivilegeSet
|
|
19
19
|
# check for double creation
|
20
20
|
raise ArgumentError, "CBAC: PrivilegeSet was already defined: #{symbol.to_s}" if @sets.include?(symbol)
|
21
21
|
# Create record if privilege set doesn't exist
|
22
|
-
record = Cbac::PrivilegeSetRecord.
|
22
|
+
record = Cbac::PrivilegeSetRecord.find_or_create_by(name: symbol.to_s)
|
23
23
|
record.set_comment(comment)
|
24
24
|
record.save
|
25
25
|
|
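Review bot: `find_or_create_by(name: symbol.to_s)` is a SELECT followed by an INSERT and is not atomic; two processes booting at once can both insert the same name, and the migration in this diff creates `cbac_privilege_set` without a unique index on `name`, so lookups elsewhere that use `where(name: …).first` would then pick an arbitrary row. Add a unique index on `cbac_privilege_set.name` in the migration and rescue `ActiveRecord::RecordNotUnique` here with a single retry of the lookup. The unconditional `record.save` two lines below also discards its boolean result, so a failed save passes silently.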
data/lib/cbac/version.rb
CHANGED
@@ -10,13 +10,13 @@ class Cbac::GenericRolesController < ApplicationController
|
|
10
10
|
# POST /update
|
11
11
|
def update
|
12
12
|
@role = Cbac::GenericRole.find(params[:id])
|
13
|
-
@role.update_attributes(
|
13
|
+
@role.update_attributes(role_params)
|
14
14
|
redirect_to :action => "index"
|
15
15
|
end
|
16
16
|
|
17
17
|
# POST /create
|
18
18
|
def create
|
19
|
-
@role = Cbac::GenericRole.new(
|
19
|
+
@role = Cbac::GenericRole.new(role_params)
|
20
20
|
@role.save
|
21
21
|
redirect_to :action => "index"
|
22
22
|
end
|
@@ -27,4 +27,9 @@ class Cbac::GenericRolesController < ApplicationController
|
|
27
27
|
@role.delete
|
28
28
|
redirect_to :action => "index"
|
29
29
|
end
|
30
|
+
|
31
|
+
private
|
32
|
+
def role_params
|
33
|
+
params.required(:cbac_generic_role).permit(:name, :remarks)
|
34
|
+
end
|
30
35
|
end
|
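Review bot: `role_params` correctly replaces the removed `attr_accessible` with a strong-parameters whitelist, but `update` and `create` still discard the boolean returned by `update_attributes(role_params)` and `@role.save` and redirect to index regardless, so a validation failure is invisible to the administrator; branch on the result and re-render the form when it is false, e.g. `redirect_to(:action => "index") and return if @role.save`. Nothing in the hunk shows a before_action guarding these role-management actions; since this is a generator template copied into the host application, a comment at the top of the controller such as `# NOTE: restrict this controller to administrators via a CBAC privilege set before exposing it` would be worth adding. The page labels this section `data/lib/cbac/version.rb`, but the hunk body is `Cbac::GenericRolesController`.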
@@ -5,7 +5,7 @@ class CreateCbacFromScratch < ActiveRecord::Migration
|
|
5
5
|
t.integer :generic_role_id, :default => 0
|
6
6
|
t.string :context_role
|
7
7
|
t.integer :privilege_set_id
|
8
|
-
t.timestamps
|
8
|
+
t.timestamps null: false
|
9
9
|
end
|
10
10
|
end
|
11
11
|
|
@@ -13,7 +13,7 @@ class CreateCbacFromScratch < ActiveRecord::Migration
|
|
13
13
|
create_table :cbac_generic_roles do |t|
|
14
14
|
t.string :name
|
15
15
|
t.text :remarks
|
16
|
-
t.timestamps
|
16
|
+
t.timestamps null: false
|
17
17
|
end
|
18
18
|
end
|
19
19
|
|
@@ -21,7 +21,7 @@ class CreateCbacFromScratch < ActiveRecord::Migration
|
|
21
21
|
create_table :cbac_memberships do |t|
|
22
22
|
t.integer :user_id
|
23
23
|
t.integer :generic_role_id
|
24
|
-
t.timestamps
|
24
|
+
t.timestamps null: false
|
25
25
|
end
|
26
26
|
end
|
27
27
|
|
@@ -29,7 +29,7 @@ class CreateCbacFromScratch < ActiveRecord::Migration
|
|
29
29
|
create_table :cbac_privilege_set do |t|
|
30
30
|
t.string :name
|
31
31
|
t.string :comment
|
32
|
-
t.timestamps
|
32
|
+
t.timestamps null: false
|
33
33
|
end
|
34
34
|
end
|
35
35
|
|
@@ -37,7 +37,7 @@ class CreateCbacFromScratch < ActiveRecord::Migration
|
|
37
37
|
create_table :cbac_pristine_files do |t|
|
38
38
|
t.string :type
|
39
39
|
t.string :file_name
|
40
|
-
t.timestamps
|
40
|
+
t.timestamps null: false
|
41
41
|
end
|
42
42
|
end
|
43
43
|
|
@@ -49,7 +49,7 @@ class CreateCbacFromScratch < ActiveRecord::Migration
|
|
49
49
|
t.integer :line_number
|
50
50
|
t.string :comment
|
51
51
|
t.text :operation, :limit => 2
|
52
|
-
t.timestamps
|
52
|
+
t.timestamps null: false
|
53
53
|
end
|
54
54
|
end
|
55
55
|
|
@@ -58,7 +58,7 @@ class CreateCbacFromScratch < ActiveRecord::Migration
|
|
58
58
|
t.string :role_type
|
59
59
|
t.string :name
|
60
60
|
t.integer :role_id
|
61
|
-
t.timestamps
|
61
|
+
t.timestamps null: false
|
62
62
|
end
|
63
63
|
end
|
64
64
|
|
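Review bot: While tightening `t.timestamps null: false`, the `cbac_memberships` table still allows NULL in `user_id` and `generic_role_id`; a membership with a NULL `user_id` is meaningless, and under the new `permitted_for_generic_role?` in `lib/cbac.rb` a nil `current_user` would query `user_id IS NULL` and match such a row. Declare them `t.integer :user_id, null: false` and `t.integer :generic_role_id, null: false`, and consider `add_index :cbac_memberships, [:user_id, :generic_role_id], unique: true` so the authorization lookup is indexed and duplicate memberships are rejected. The same applies to `cbac_permissions.privilege_set_id`, which is nullable while `generic_role_id` defaults to 0.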
@@ -16,7 +16,7 @@
|
|
16
16
|
|
17
17
|
# Get a privilege set that fulfills the provided conditions
|
18
18
|
def get_privilege_set(conditions)
|
19
|
-
Cbac::PrivilegeSetRecord.
|
19
|
+
Cbac::PrivilegeSetRecord.where(conditions).first
|
20
20
|
end
|
21
21
|
|
22
22
|
# Get a Hash containing all entries from the provided table
|
@@ -40,29 +40,28 @@ describe Cbac do
|
|
40
40
|
:controller => "dating/daughter_controller",
|
41
41
|
:action => "take_to_dinner"
|
42
42
|
}
|
43
|
+
allow(@controller).to receive(:current_user).and_return(nil)
|
43
44
|
end
|
44
45
|
|
45
46
|
context "and the contextual requirements are fulfilled" do
|
46
47
|
before :each do
|
47
|
-
ideal_son_in_law =
|
48
|
-
@controller.
|
48
|
+
ideal_son_in_law = double('user', :brought_flowers? => true)
|
49
|
+
allow(@controller).to receive(:candidate).and_return(ideal_son_in_law)
|
49
50
|
end
|
50
51
|
|
51
52
|
specify "the action is invoked" do
|
52
|
-
@controller.authorize.
|
53
|
+
expect(@controller.authorize).to be_truthy
|
53
54
|
end
|
54
55
|
end
|
55
56
|
|
56
57
|
context "and the contextual requirements are not fulfilled" do
|
57
58
|
before :each do
|
58
|
-
some_punk =
|
59
|
-
@controller.
|
59
|
+
some_punk = double('user', :brought_flowers? => false)
|
60
|
+
allow(@controller).to receive(:candidate).and_return(some_punk)
|
60
61
|
end
|
61
62
|
|
62
63
|
specify "the action is blocked" do
|
63
|
-
@controller.
|
64
|
-
|
65
|
-
@controller.authorize
|
64
|
+
expect(@controller.authorize).to be_falsey
|
66
65
|
end
|
67
66
|
end
|
68
67
|
end
|
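Review bot: The `before` block now stubs `current_user` to nil for every example in this context, so both branches presumably reach the generic-role lookup with a nil user and rely solely on the context rule (`brought_flowers?`) for the outcome; there is no example asserting that an unauthenticated user is denied when the context rule is not satisfied and a membership row with a NULL or zero `user_id` exists. Add a context that creates a `Cbac::Membership` with `user_id: nil` for a role holding the privilege set and a specify with `expect(@controller.authorize).to be_falsey`, to pin the fail-closed behaviour. The enclosing `describe Cbac` starts before the hunk.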